Internal Control over Financial Reporting – Guidance for Smaller Public Companies Volume I : Executive Summary... Among its provisions, Section 404 requires management of public companie
Trang 1Internal Control over Financial Reporting – Guidance for Smaller Public Companies
Volume I : Executive Summary
Trang 2Committee of Sponsoring Organizations
of the Treadway Commission
Board Members
Larry E Rittenberg
COSO Chair
Mark Beasley
American Accounting Association
Nick Cyprus
Financial Executives International
Charles E Landes
American Institute of Certified
Public Accountants
David A Richards
The Institute of Internal Auditors
Jeffrey Thomson
Institute of Management Accountants
PricewaterhouseCoopers LLP – Author
Principal Contributors
Miles Everson (Project Leader)
Partner
New York City
Frank Martens
Director Vancouver, Canada
Frank Frabizzio
Partner
Philadelphia
Tom Hyland
Partner New York City
Paul Tarwater
Partner Dallas
Mark Cohen
Senior Manager Boston
Erinn Hansen
Senior Manager
Philadelphia
Mario Patone
Manager Philadelphia
Chris Paul
Senior Associate Boston
Shurjo Sen
Manager New York City
Project Task Force to COSO
Guidance
Deborah Lambert (Chair)
Partner
Johnson, Lambert & Co.
Rudolph J J McCue
WHPH, Inc.
Christine Bellino
Jefferson Wells International, Inc
Douglas F Prawitt
Professor of Accounting Brigham Young University
Joseph V Carcello
Professor of Accounting University of Tennessee
Malcolm Schwartz
CRS Associates LLC
Members at Large
Carolyn V Aver
CFO
Agile Software Corporation
Brian O’Malley
Chief Audit Executive
Nasdaq
Dan Swanson
President and CEO
Dan Swanson & Associates
Kristine M Brands
Director of Financial Systems Inamed, A Division of Allergan
Andrew Pinnero
JLC/Veris Consulting LLC
Dominique Vincenti
Director of Professional Practice The Institute of Internal Auditors
Serena Dávila
Director for Private Companies
& Small Business Financial Executives International
Pamela S Prior
Director of Internal Control & Analysis Tasty Baking Company
Kenneth W Witt
American Institute of Certified Public Accountants
Gus Hernandez
Partner Deloitte & Touche, LLP
James K Smith, III
Vice President & CFO Phonon Corp.
Observer
Jennifer Burns
Professional Accounting Fellow
Trang 3The Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 1992 issued
Internal Control – Integrated Framework to help businesses and other entities assess and enhance
their internal control systems Since that time the Framework has been recognized by executives,
board members, regulators, standard setters, professional organizations and others as an appropriate
comprehensive Framework for internal control
Also, changes have taken place in the financial reporting and related legal and regulatory
environments Significantly, the Sarbanes-Oxley Act was enacted into United States law in 2002
Among its provisions, Section 404 requires management of public companies to annually assess
and report on the effectiveness of internal control over financial reporting
With these developments and the passage of time, the Framework nonetheless remains relevant
today and is used by management of public companies large and small in complying with Section
404 Many companies, however, have experienced unanticipated costs, with smaller companies
facing unique challenges in implementing Section 404
This document neither replaces nor modifies the Framework, but rather provides guidance on how
to apply it It is directed at smaller public companies – although also usable by large ones – in
using the Framework in designing and implementing cost-effective internal control over financial
reporting Although this guidance is designed primarily to help management with establishing and
maintaining effective internal control over financial reporting, it also may be useful to management
in more efficiently assessing internal control effectiveness, in the context of assessment guidance
provided by regulators
This report is in three volumes The first consists of this Executive Summary, providing a high level
summary for companies’ boards of directors and senior management
The second provides an overview of internal control over financial reporting in smaller businesses,
including descriptions of company characteristics and how they affect internal control, challenges
smaller businesses face, and how management can use the Framework Presented are twenty
fundamental principles drawn from the Framework, together with related attributes, approaches
and examples of how smaller businesses can apply the principles in a cost-effective manner
Internal Control over Financial Reporting –
Guidance for Smaller Public Companies
Volume I : Executive Summary
June 2006
Trang 4The third contains illustrative tools to assist management in evaluating internal control Managers may use the illustrative tools in determining whether the company has effectively applied the principles
It is expected that senior management will find the Executive Summary and Overview chapter of Volume II of particular interest and might refer to certain of the following chapters as needed, and that other managers will use Volumes II and III as a reference source for guidance in those areas of particular need
Characteristics of “Smaller” Companies
Although there is a tendency to want a “bright line” to define businesses as small, medium-size or large, this guidance does not provide such definitions It uses the term “smaller” rather than “small” business, suggesting there is a wide range of companies to which the guidance is directed The focus is on businesses that have many of the following characteristics:
Fewer lines of business and fewer products within lines Concentration of marketing focus, by channel or geography Leadership by management with significant ownership interest or rights Fewer levels of management, with wider spans of control
Less complex transaction processing systems and protocols Fewer personnel, many having a wider range of duties Limited ability to maintain deep resources in line as well as support staff positions such as legal, human resources, accounting and internal auditing
None of these characteristics by themselves is definitive Certainly, size by whatever measure – revenue, personnel, assets, or other – affects and is affected by these characteristics, and shapes our thinking about what constitutes “smaller.”
Costs and Benefits
Management and other stakeholders of public companies, particularly smaller ones, have focused great attention on the cost of complying with Section 404, with less attention given to the associated benefits Although it may be difficult to measure impacts associated with inaccurate financial reporting, market reactions to corporate misstatements clearly signal that the investment community does not readily tolerate inaccurate reporting, regardless of company size In that respect and with other benefits described below, effective internal control adds significant value Among the most significant benefits is the strengthened ability of companies to access the capital markets, providing capital which drives innovation and economic growth Other benefits include reliable and timely information supporting management’s decision-making, consistent
•
•
•
•
•
•
•
While incremental cost to
assess and report on internal
control has become a focal
point for many corporate
stakeholders, it is useful
to balance costs with the
related benefits
Trang 5mechanisms for processing transactions across an organization enhancing speed and reliability,
and ability to accurately communicate business performance with partners and customers
Meeting Challenges in Attaining Cost-Effective
Internal Control
The characteristics of smaller companies provide significant challenges for cost-effective internal
control This particularly is the case where managers view control as an administrative burden to
be added onto existing business systems, rather than recognizing the business need and benefit
for effective internal control that is integrated with core processes
Among the challenges are:
Obtaining sufficient resources to achieve adequate segregation of duties
Management’s ability to dominate activities, with significant opportunities for management
override of control
Recruiting individuals with requisite financial reporting and other expertise to serve
effectively on the board of directors and audit committee
Recruiting and retaining personnel with sufficient experience and skill in accounting and
financial reporting
Taking management attention from running the business in order to provide sufficient
focus on accounting and financial reporting
Maintaining appropriate control over computer information systems with limited technical
resources
While all companies incur incremental costs to design and report on internal control over
financial reporting, costs can be proportionally higher for smaller companies Yet despite resource
constraints, smaller businesses usually can meet this challenge and succeed in attaining effective
internal control in a reasonably cost-effective manner This is accomplished in a variety of ways,
outlined in this guidance, many of which already exist today in smaller companies and for which
management can “take credit” in considering internal control effectiveness
Wide and Direct Control from the Top
Many smaller businesses are dominated by the company’s founder or other leader who exercises a
great deal of discretion and provides personal direction to other personnel While key to enabling the
company to meet its growth and other objectives, this positioning also can contribute significantly
to effective internal control over financial reporting In-depth knowledge of different facets of the
business – its operations, processes, array of contractual commitments and business risks – enables
its leader to know what to expect in reports generated by the financial reporting system and to
follow up as needed when unanticipated variances surface A related downside in terms of ability
to override established control procedures can be addressed with specified protocols
•
•
•
•
•
•
With use of this guidance, management of smaller companies can meet the challenges of their unique environments, lessening incremental costs and achieving the benefits of effective internal control.
Trang 6Effective Boards of Directors
Smaller companies typically have relatively straightforward business operations with less complex business structures, enabling directors to gain more in-depth knowledge of business activities Directors may have been closely involved with the company during its evolution and have a strong historical perspective Coupled with what often is exposure to and frequent communication with
a wide range of managers, this assists the board and its audit committee in performing oversight responsibilities for financial reporting in a highly effective manner
Compensating for Limited Segregation of Duties
Resource constraints may limit the number of employees, sometimes resulting in concerns regarding segregation of duties There are, however, actions management can take in order to compensate for potential inadequacy These include managers reviewing system reports of detailed transactions; selecting transactions for review of supporting documents; overseeing periodic counts of physical inventory, equipment or other assets and comparing them with accounting records; and reviewing reconciliations of account balances or performing them independently In many small companies managers already are performing these and other procedures supporting reliable reporting, and credit should be taken for their contribution to effective internal control
Information Technology
The reality of limited internal information technology resources often can be dealt with through use of software developed and maintained by others These packages still require controlled implementation and operation, but many of the risks associated with in-house developed systems are avoided Typically there is a limited need for program change controls, inasmuch as changes are done exclusively by the developer company, and generally a smaller company’s personnel lack technical expertise to make unauthorized modifications Such commercially available packages also bring advantages in the form of embedded facilities for controlling which employees can access
or modify specified data, performing checks on data processing completeness and accuracy, and maintaining related documentation
Further advantage can be gained by utilizing software that comes with a variety of built-in application controls that can improve consistency of operation, automate reconciliations, facilitate reporting of exceptions for management review, and support proper segregation of duties Smaller companies can take advantage of these capabilities, ensuring “flags” or “switches” are properly set to take advantage of the software’s capabilities
Monitoring Activities
The monitoring component is an important part of the Framework, where a wide range of activities routinely performed by managers in running a business can provide feedback on the functioning of other components of the internal control system Management of many smaller
Trang 7Management of many smaller businesses routinely perform monitoring activities in running the business, and they should take sufficient
“credit” for their important contribution to internal control effectiveness
businesses regularly perform such procedures, but have not always taken sufficient “credit” for
their contribution to internal control effectiveness These activities, usually performed manually
and sometimes supported by computer software, should be fully considered in designing and
assessing internal control
From a different perspective, there is another way monitoring activities can promote efficiency
After the first year of assessing and reporting on internal control, many companies repeated the
assessment process in year two with little if any cost savings
A different approach, however, can be taken to promote efficiency By focusing on monitoring
activities already in place or that might be added with little additional effort, management can
identify significant changes to the financial reporting system since the prior year, thereby gaining
insight into where to target more detailed testing While for effective internal control all five
components must be in place and operating effectively and some testing of each component
is necessary, highly effective monitoring activities can both offset certain shortcomings in other
components and sharpen targeting of assessment work with resulting overall efficiency
Achieving Further Efficiencies
In addition to considering the above, companies can gain additional efficiencies in designing and
implementing or assessing internal control by focusing on only those financial reporting objectives
directly applicable to the company’s activities and circumstances, taking a risk based approach to
internal control, right sizing documentation, viewing internal control as an integrated process, and
considering the totality of internal control
The COSO Framework recognizes that an entity must first have in place an appropriate set of financial
reporting objectives At a high level, the objective of financial reporting is to prepare reliable financial
statements, which involves attaining reasonable assurance that the financial statements are free
from material misstatement Flowing from this high level objective, management establishes
supporting objectives related to the company’s business activities and circumstances and their
proper reflection in the company’s financial statement accounts and related disclosures These
objectives may be influenced by regulatory requirements or by other factors that management
may choose to incorporate when setting its objectives
Efficiencies are gained by focusing on only those objectives directly applicable to the business and
related to its activities and circumstances that are material to the financial statements Experience
shows that this can be most efficiently accomplished by beginning with a company’s financial
statements and identifying supporting objectives for those business activities, processes and
events that can materially affect the financial statements In this way, a basis is formed for giving
attention only to what is truly relevant to the reliability of financial reporting for that company
Trang 8Focusing on Risk
While management considers risks in several respects, its overarching consideration is the risks
to key objectives, including the risks to reliable financial reporting Risk-based means focusing
on quantitative and qualitative factors that potentially affect the reliability of financial reporting, and identifying where in transaction processing or other activities related to financial statement preparation something could go wrong By focusing on key objectives management can tailor the scope and depth of risk assessments needed Often risk is considered in the context of initially designing and implementing internal control, where risks to objectives are identified and analyzed
to form a basis for determining how the risks should be managed Another is in the context of assessing whether internal control is effective in mitigating risks to objectives
In the context of assessing internal control effectiveness, there sometimes is a tendency to consider internal control using generic lists of controls appropriate to a “typical” organization While these tools in questionnaire or other form may be useful, an unintended result is that management sometimes focuses on “standard” or “typical” controls that simply are not relevant to the company’s financial reporting objectives or risks associated with those objectives A related problem encountered is starting assessments with the details of accounting systems and documenting them in extreme depth without recognizing whether the entirety of processes are truly relevant
to achieving reliable financial reporting This is not to say that such approaches cannot be useful,
as they can be However, whatever approach is followed, efficiencies are gained when attention
is directed to the objectives management has established specific to the company’s business activities and circumstances
Right-Sizing Documentation
Documentation of business processes and procedures and other elements of internal control systems is developed and maintained by companies for a number of reasons One is to promote consistency in adhering to desired practices in running the business Effective documentation assists in communicating what is to be done, and how, and creates expectations of performance Another purpose of documentation is to assist in training new personnel and as a refresher or reference tool for other employees Documentation also provides evidence to support reporting
on internal control effectiveness
The level and nature of documentation varies widely by company Certainly, large companies usually have more operations to document, or greater complexity in financial reporting processes, and therefore find it necessary to have more extensive documentation than smaller ones Smaller companies often find less need for formal documentation, such as in-depth policy manuals, systems flowcharts of processes, organization charts, job descriptions, and the like In smaller companies, typically there are fewer people and levels of management, closer working relationships and more frequent interaction, all of which promotes communication of what is expected and what
is being done A smaller business, for example, might document human resources, procurement
A risk based approach can
bring significant efficiencies
to internal control
assessments.
Trang 9or customer credit policies with memoranda and supplement the memoranda with guidance
provided by management in meetings A larger company will more likely have more detailed
policies (or policy manuals) to guide their people in better implementing controls
Questions arise as to the extent of documentation needed to deem internal control over financial
reporting as effective The answer is, of course, it depends on circumstances and needs Some
level of documentation is always necessary to assure management that its control processes are
working, such as documentation to help assure management that all shipments are billed, or
periodic reconciliations are performed In a smaller business, however, management is often directly
involved in performing control procedures and for those procedures there may be only minimal
documentation because management can determine that controls are functioning effectively
through direct observation However, there must be information available to management that
the accounting systems and related procedures, including actions taken in connection with
preparation of reliable financial statements, are well designed, well understood, and carried out
properly
When management asserts to regulators, shareholders or other third parties on the design
and operating effectiveness of internal control over financial reporting, management accepts
a higher level of personal risk and typically will require documentation of major processes
within the accounting systems and important control activities to support its assertions
Accordingly, management will review to determine whether its documentation is appropriate
to support its assertion In considering the amount of documentation needed, the nature and
extent of the documentation may be influenced by the company’s regulatory requirements
This does not necessarily mean that documentation will or should be more formal, but it does
mean that there needs to be evidence that the controls are designed and working properly
In addition, when an external auditor will be attesting to the effectiveness of internal control,
management will likely be expected to provide the auditor with support for its assertion That
support would include evidence that the controls are properly designed and are working
effectively In considering the nature and extent of documentation needed by the company,
management should also consider that the documentation to support the assertion that
controls are working properly will likely be used by the external auditor as part of his or her audit
evidence
There may still be instances where policies and procedures are informal and undocumented
This may be appropriate where management is able to obtain evidence captured through the
normal conduct of the business that indicates personnel regularly performed those controls
However, it is important to keep in mind that control processes, such as risk assessment,
cannot be performed entirely in the mind of the CEO or CFO without some documentation
of the thought process and management’s analysis Many of the examples contained later in
this guidance illustrate how management can capture evidence through the normal course
of business
The extent of documentation supporting design and operating effectiveness
of the five internal control components is a matter of judgment, and should be done with cost-effectiveness
in mind.
Trang 10Documentation of internal control should meet business needs and be commensurate with circumstances The extent of documentation supporting design and operating effectiveness of the five internal control components is a matter of judgment, and should be done with cost-effectiveness in mind Where practical, the creation and retention of evidence should be embedded with the various financial reporting processes
Viewing Internal Control as an Integrated Process
It is useful to view the Framework’s five internal control components as comprising an integrated process, which indeed internal control is A process perspective highlights the interrelationship of the components, and recognizes that management has flexibility in choosing controls to achieve its objectives and that an organization can adjust and improve its internal control over time
As noted, the internal control process begins with management setting financial reporting objectives relevant to the company’s particular business activities and circumstances Once set, management identifies and assesses a variety of risks to those objectives, determines which risks could result in a material misstatement in financial reporting, and determines how the risks should
be managed through a range of control activities Management implements approaches to capture, process and communicate information needed for financial reporting and other components of the internal control system All this is done in context of the company’s control environment, which
is shaped and refined as necessary to provide the appropriate tone at the top of the organization and related attributes These components all are monitored to help ensure that controls continue
to operate properly over time An overview of Framework’s components working together from a process perspective can be depicted as follows:
An assessment of internal
control considers whether
the components, all
logically interrelated,
are working together to
accomplish the company’s
financial reporting
objectives